On Tue, Oct 10, 2017 at 11:18 AM, Tim Golden <mail at timgolden.me.uk> wrote:
> On 2017-10-10 10:58, Chris Angelico wrote:
>> On Tue, Oct 10, 2017 at 8:56 PM, Tim Golden <mail at timgolden.me.uk> wrote:
>>> In fact its presence in that filename creates a (usually hidden) data
>>> stream piggybacked onto that file which has the name "abc" into which the
>>> data is written.
>>> So, following on, the follow works:
>>> assert open("temp.txt:abc").read() == "abc"
>> Cool. Does it require that temp.txt exist first? And if you have
>> multiple colons (as in the OP's), does the part after the second colon
>> have to be a type indicator?
> No. temp.txt is created empty.
> Multiple colons *does* appear to be a syntax error in the filename.
Colon in a file path (not a device name) is a reserved character
that's used to reference NTFS file streams. The colon is not part of
the name of either the base file/directory or the stream. You can
check whether a volume supports named streams by calling
GetVolumeInformation. If they're supported, then lpFileSystemFlags
will contain the flag FILE_NAMED_STREAMS.
The complete spec is "FileName:StreamName:StreamType". When a regular
file is opened, NTFS defaults to opening the anonymous data stream,
"FileName::$DATA". When a directory is opened, NTFS defaults to
opening "DirName:$I30:$INDEX_ALLOCATION", i.e. the $I30 stream of type
$INDEX_ALLOCATION. A directory can also have named $DATA streams, but
it can't have an anonymous $DATA stream because that would be
ambiguous in general.
Other stream types used internally in NTFS include $FILE_NAME,
$REPARSE_POINT, $OBJECT_ID, $ATTRIBUTE_LIST, $INDEX_ROOT, and $BITMAP.
But these are of little interest unless you specialize in forensics or
are supporting NTFS on another OS.